jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
customDetails:
Related_Binaries: TargetBinaryFilePath
JamfPro_Status: JamfPro
Related_File_hash: TargetBinarySHA256
TargetBinarySigner: TargetBinarySigningTeamID
TargetbinarySign: TargetbinarySignerType
Protect_Analytic: EventMessage
Protect_Event_Type: EventType
Protect_Tags: Tags
TargetBinarySignMsg: TargetBinarySigningInfoMessage
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
alertDetailsOverride:
alertTacticsColumnName: Tactics
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
- value: Techniques
alertProperty: Techniques
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
requiredDataConnectors:
- dataTypes:
- jamfprotectalerts_CL
connectorId: JamfProtect
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
createIncident: true
tactics:
name: Jamf Protect - Alerts
relevantTechniques:
severity: High
suppressionDuration: PT5H
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: OSFamily
columnName: DvcOs
- identifier: OSVersion
columnName: DvcOsVersion
entityType: Host
- fieldMappings:
- identifier: Address
columnName: Host_IPs
entityType: IP
- fieldMappings:
- identifier: CommandLine
columnName: TargetProcessCurrentDirectory
- identifier: ProcessId
columnName: TargetProcessId
entityType: Process
- fieldMappings:
- identifier: Algorithm
columnName: algorithm
- identifier: Value
columnName: TargetBinarySHA256
entityType: FileHash
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.6
suppressionEnabled: false
kind: NRT
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
